1. Technical Field
The present invention relates to a secure communication system and method for an Internet Protocol version 4/Internet Protocol version 6 (IPv4/IPv6) integrated network system.
2. Related Art
The Internet has taken a firm position as a core infrastructure of the information society. With the development of high-quality real-time services such as Voice over Internet Protocol (VoIP) and Internet television (TV), the traffic exchanged over the Internet has evolved from traffic carrying text information to multimedia traffic carrying voice, image, and video information, and its volume is increasing explosively.
The currently deployed Internet Protocol version 4 (IPv4)-based Internet carries only 32-bit address information and uses a comparatively complicated header structure, yet it must accommodate a rapidly increasing number of nodes and volume of traffic. For this reason, the packet processing speed of routers and nodes is degraded, and the performance of the entire Internet deteriorates.
Internet Protocol version 6 (IPv6) has been proposed to overcome these problems of the IPv4-based Internet, and has various features such as an expanded 128-bit address space, a simplified header structure, improved quality of service (QoS), built-in security support (IPSec), and the like.
However, because the current Internet operates largely on IPv4 networks, it is impossible to replace the IPv4 network with an IPv6 network all at once. Thus, the IPv4 network will coexist with the IPv6 network for some time, and will be gradually replaced by the IPv6 network.
Accordingly, in order to successfully establish the IPv6 network, it is important for nodes and routers of the IPv6 network to coexist with those of the IPv4 network which is established at present.
In order to enable nodes connected to the IPv6 network to operate and communicate with nodes connected to the IPv4 network, an address translator for translation between an IPv6 address and an IPv4 address is required.
Currently, several translation technologies have been standardized or proposed in the Internet Engineering Task Force (IETF), the international standardization organization for the Internet. Among them, two technologies, Network Address Translation-Protocol Translation (NAT-PT) and Dual Stack Transition Mechanism (DSTM), have attracted attention.
In this regard, NAT-PT is a standard defined in RFC 2766 of the IETF, and specifies an IPv6-IPv4 address translation function. (RFC 2766 was later reclassified as Historic by RFC 4966 because of its operational and security problems; the limitation described below nevertheless applies to any translator that assigns IPv4 addresses dynamically.)
A NAT-PT server is located at the boundary between the IPv6 network and the IPv4 network, and holds an IPv4 address pool, i.e. a set of IPv4 addresses that it dynamically assigns to IPv6 nodes.
The NAT-PT server performs a network address translation (NAT) function, which assigns an IPv4 address from the pool to an IPv6 node when a session is initiated, and a protocol translation (PT) function.
In particular, the NAT-PT server performs IP header translation on each packet received from an IPv6 node, rewriting the header address information and the remaining header fields into IPv4 form; NAT-PT uses the Stateless IP/ICMP Translation (SIIT) algorithm of RFC 2765 for this step.
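The pool assignment and IPv6-to-IPv4 header translation described above, modelled as an added example (this is not code from the original text or from any NAT-PT implementation). The /96 prefix, the IPv4 pool, the two IPv6 nodes and the IPv4 server are constructed values; the translator handles packets without extension headers, recomputes the UDP checksum because the pseudo-header changes, and leaves ICMP body translation out.

```python
import ipaddress
import struct

# Constructed values for this example (assumptions, not taken from the text): the /96
# prefix the IPv6 side uses to name IPv4 hosts, the translator's IPv4 pool, two IPv6
# nodes and one IPv4 server.
NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")
IPV4_POOL = [ipaddress.IPv4Address(f"203.0.113.{i}") for i in range(10, 13)]
NODE_A = ipaddress.IPv6Address("2001:db8:1::a")
NODE_B = ipaddress.IPv6Address("2001:db8:1::b")
V4_SERVER = ipaddress.IPv4Address("192.0.2.1")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (zero-padded to an even length); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(pseudo: bytes, udp: bytes) -> int:
    """UDP checksum over pseudo-header + datagram with the checksum field zeroed."""
    return ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF


def to_natpt_addr(v4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """How an IPv6 node addresses an IPv4 host through NAT-PT: PREFIX::a.b.c.d."""
    return ipaddress.IPv6Address(int(NATPT_PREFIX.network_address) | int(v4))


def build_ipv6_udp(src, dst, sport, dport, data: bytes) -> bytes:
    """Constructed IPv6/UDP packet as an IPv6-only node would send it (test input)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(udp), 17)
    udp = udp[:6] + struct.pack("!H", udp_checksum(pseudo, udp)) + udp[8:]
    return struct.pack("!IHBB", 6 << 28, len(udp), 17, 64) + src.packed + dst.packed + udp


class NatPt:
    """Minimal NAT-PT model: dynamic IPv4 pool plus SIIT-style IPv6 -> IPv4 header translation."""

    def __init__(self, prefix, pool):
        self.prefix, self.free, self.v6_to_v4 = prefix, list(pool), {}

    def assign(self, v6):
        """Bind an IPv6 node to a free pool address when its session starts; reuse it afterwards."""
        if v6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted")
            self.v6_to_v4[v6] = self.free.pop(0)
        return self.v6_to_v4[v6]

    def embedded_v4(self, v6):
        """Recover the IPv4 destination from the low 32 bits of PREFIX::a.b.c.d."""
        if v6 not in self.prefix:
            raise ValueError("destination is not inside the NAT-PT prefix")
        return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

    def translate(self, pkt: bytes) -> bytes:
        """Translate one IPv6 packet without extension headers into an IPv4 packet."""
        ver_tc_fl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
        if ver_tc_fl >> 28 != 6:
            raise ValueError("not an IPv6 packet")
        src4 = self.assign(ipaddress.IPv6Address(pkt[8:24]))
        dst4 = self.embedded_v4(ipaddress.IPv6Address(pkt[24:40]))
        payload = pkt[40:40 + plen]
        tos = (ver_tc_fl >> 20) & 0xFF                 # traffic class -> TOS
        proto = 1 if nh == 58 else nh                  # ICMPv6 -> ICMP (ICMP body not translated here)
        # version/IHL, TOS, total length, identification, flags=DF, TTL=hop limit, protocol, checksum=0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000,
                          hlim, proto, 0, src4.packed, dst4.packed)
        hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
        if proto == 17 and len(payload) >= 8:
            # Transport checksums cover the pseudo-header, so they must be recomputed
            # for the new addresses; a translator that skips this breaks every UDP flow.
            pseudo = src4.packed + dst4.packed + struct.pack("!xBH", 17, len(payload))
            payload = payload[:6] + struct.pack("!H", udp_checksum(pseudo, payload)) + payload[8:]
        return hdr + payload


def verify_ipv4_udp(pkt4: bytes) -> bool:
    """True if both the IPv4 header checksum and the UDP checksum verify on a translated packet."""
    ihl = (pkt4[0] & 0x0F) * 4
    udp = pkt4[ihl:]
    pseudo = pkt4[12:16] + pkt4[16:20] + struct.pack("!xBH", 17, len(udp))
    return ones_complement_sum(pkt4[:ihl]) == 0 and ones_complement_sum(pseudo + udp) == 0


def demo():
    """Two IPv6 nodes open sessions to the same IPv4 server through one translator."""
    natpt = NatPt(NATPT_PREFIX, IPV4_POOL)
    pkt_a = natpt.translate(build_ipv6_udp(NODE_A, to_natpt_addr(V4_SERVER), 40000, 53, b"hello"))
    pkt_b = natpt.translate(build_ipv6_udp(NODE_B, to_natpt_addr(V4_SERVER), 40001, 53, b"world"))
    return natpt, pkt_a, pkt_b


if __name__ == "__main__":
    natpt, pkt_a, pkt_b = demo()
    for v6, v4 in natpt.v6_to_v4.items():
        print(f"{v6} -> {v4}")
    print(pkt_a.hex(), verify_ipv4_udp(pkt_a))
```

The IPv4 side of the session sees only the pool address that `assign` happened to pick when the first packet arrived (203.0.113.10 for the first node, 203.0.113.11 for the second); which IPv6 node stands behind that address is known to the translator alone, which is exactly the information the IPv4 peer lacks in the key-exchange discussion that follows.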
There are several methods for authenticating two nodes performing IP communication to each other. Among them, the Pre-Shared Key (PSK) method configures the same secret key on both nodes, which then mutually authenticate by proving possession of that key.
Meanwhile, the Security Architecture for the Internet Protocol (IPSec) has been developed to protect IP traffic, and provides security services such as confidentiality, data integrity, access control, data origin authentication, and the like.
IPSec requires that the state information needed by both nodes performing secure communication, i.e. a security association (SA), be established, maintained and managed in advance. The SA information includes the cipher algorithm, key values, and the like.
The Internet Key Exchange (IKE) protocol has been developed to set up SAs flexibly and automatically between nodes performing secure communication in a large-scale network. IKE mutually authenticates the two nodes performing secure communication, and establishes the SAs to be used by IPSec.
However, on the IPv4/IPv6 integrated network, secure communication based on the PSK method, which would otherwise be an effective way for an IPv4 node and an IPv6 node to authenticate each other, cannot be performed.
That is, in order to perform secure communication between an IPv4 node and an IPv6 node in the IPv4/IPv6 integrated network under IKE, each node must be configured with the peer's identification information (its identifier (ID)) and the shared key.
In IKE, main mode with pre-shared keys uses the IP address of the node as the ID, because the ID payload is carried only in an encrypted message and the key must therefore be selected from the peer's address before that message can be decrypted, whereas aggressive mode, which sends the ID in the clear in its first message, can use an e-mail address or the like as the ID.
However, because the NAT-PT server in the IPv4/IPv6 integrated network dynamically assigns IPv4 addresses to the IPv6 nodes, the IPv4 node cannot know in advance which IPv4 address a given IPv6 node will receive. Hence, secure communication based on the PSK method cannot be performed in the IPv4/IPv6 integrated network.
That is, IKE main mode with IP-address IDs is not usable in the IPv4/IPv6 integrated network, and IKE-compliant secure communication based on a shared secret key under the PSK method cannot be performed.
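The main-mode versus aggressive-mode difference just described, modelled as an added example (not code from the original text, and not an IKE implementation). It keeps only the IKEv1 pieces that matter for PSK selection: SKEYID = prf(PSK, Ni|Nr) as in RFC 2409, a simplified SKEYID_e and HASH_I, a constructed g^xy value in place of the Diffie-Hellman exchange, and an HMAC counter keystream as a toy stand-in for the negotiated cipher. The addresses, identifier and secrets are constructed; the IPv6 initiator is assumed to reach the IPv4 responder through a translator that assigned it 203.0.113.10 for this session.

```python
import hashlib
import hmac
import os

# Constructed scenario (an assumption of this example, not taken from the text):
# IPv4 responder R keeps PSKs for its peers; IPv6 initiator I reaches R through
# NAT-PT, which gives I whichever IPv4 pool address is free when the session starts.
PSK_I = b"correct horse battery staple"       # shared secret configured on I and R
PSK_OTHER = b"some other peer's secret"       # belongs to a different peer of R
ID_I = b"node-a@example.org"                  # ID_USER_FQDN that I can present in aggressive mode
ADDR_EXPECTED = "203.0.113.12"                # address R's administrator guessed I would receive
ADDR_TODAY = "203.0.113.10"                   # address NAT-PT actually assigned this session


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(psk, ni, nr, gxy):
    """RFC 2409 PSK case: SKEYID = prf(PSK, Ni|Nr); SKEYID_e simplified here to prf(SKEYID, g^xy|2)."""
    skeyid = prf(psk, ni + nr)
    return skeyid, prf(skeyid, gxy + b"\x02")


def hash_i(skeyid, gxy, id_i):
    """Simplified HASH_I (RFC 2409 also covers g^xi, g^xr, the cookies and SAi_b)."""
    return prf(skeyid, gxy + id_i)


def xor_keystream(key, data):
    """Toy cipher standing in for the negotiated IKE algorithm: HMAC counter-mode keystream."""
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def initiator_main_msg5(psk, ni, nr, gxy, id_i):
    """Main-mode message 5: {IDii, HASH_I} encrypted. The ID is sent only after keys exist."""
    skeyid, skeyid_e = derive_keys(psk, ni, nr, gxy)
    plain = len(id_i).to_bytes(2, "big") + id_i + hash_i(skeyid, gxy, id_i)
    return xor_keystream(skeyid_e, plain)


def initiator_aggr_msg3(psk, ni, nr, gxy, id_i):
    """Aggressive-mode message 3: HASH_I in the clear; IDii already went out in message 1."""
    skeyid, _ = derive_keys(psk, ni, nr, gxy)
    return hash_i(skeyid, gxy, id_i)


class Responder:
    def __init__(self, psk_by_ip, psk_by_id):
        self.psk_by_ip = psk_by_ip   # all main mode can key on: the packet's source address
        self.psk_by_id = psk_by_id   # what aggressive mode can key on: IDii from message 1

    def main_mode(self, src_ip, ni, nr, gxy, msg5):
        # IDii is inside the encrypted message 5, so the PSK (and SKEYID, which needs it)
        # must be chosen from the source address alone.
        psk = self.psk_by_ip.get(src_ip)
        if psk is None:
            return "no-psk-for-address"
        skeyid, skeyid_e = derive_keys(psk, ni, nr, gxy)
        plain = xor_keystream(skeyid_e, msg5)
        n = int.from_bytes(plain[:2], "big")
        id_i, h = plain[2:2 + n], plain[2 + n:2 + n + 32]
        if not hmac.compare_digest(h, hash_i(skeyid, gxy, id_i)):
            return "authentication-failed"   # wrong PSK: garbage ID and a HASH_I that cannot match
        return "established:" + id_i.decode()

    def aggressive_mode(self, src_ip, id_i, ni, nr, gxy, msg3):
        # IDii arrived in the clear in message 1, so the lookup does not depend on
        # which pool address NAT-PT chose for this session.
        psk = self.psk_by_id.get(id_i)
        if psk is None:
            return "no-psk-for-id"
        skeyid, _ = derive_keys(psk, ni, nr, gxy)
        if not hmac.compare_digest(msg3, hash_i(skeyid, gxy, id_i)):
            return "authentication-failed"
        return "established:" + id_i.decode()


def run_scenario():
    """Outcome of each attempt from the responder's point of view."""
    ni, nr, gxy = os.urandom(16), os.urandom(16), os.urandom(32)  # DH exchange itself omitted
    msg5 = initiator_main_msg5(PSK_I, ni, nr, gxy, ID_I)
    msg3 = initiator_aggr_msg3(PSK_I, ni, nr, gxy, ID_I)
    # 1. R holds I's PSK under the address the administrator expected; NAT-PT picked another.
    r1 = Responder({ADDR_EXPECTED: PSK_I}, {ID_I: PSK_I})
    # 2. Today's address is in R's table, but from a peer that held that pool address earlier.
    r2 = Responder({ADDR_TODAY: PSK_OTHER}, {ID_I: PSK_I})
    return {
        "main/unknown-address": r1.main_mode(ADDR_TODAY, ni, nr, gxy, msg5),
        "main/stale-binding": r2.main_mode(ADDR_TODAY, ni, nr, gxy, msg5),
        "aggressive": r1.aggressive_mode(ADDR_TODAY, ID_I, ni, nr, gxy, msg3),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>22}: {outcome}")
```

Two caveats a practitioner would add. Aggressive mode removes the address dependency but sends IDii in the clear and lets a passive observer who captures the first two messages test candidate pre-shared keys offline against HASH_R, so it trades one problem for another. IKEv2 (RFC 7296) sidesteps the issue differently: IDi is sent under keys derived from the Diffie-Hellman exchange alone and the PSK enters only the AUTH payload, so the responder can select the secret by identity without ever relying on the source address.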